File name:

rust-stealer-xss.exe

Full analysis: https://app.any.run/tasks/6b606f4c-8048-4a30-828b-39302c3a4b9e
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: April 24, 2025, 18:41:49
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
evasion
rust
rustystealer
stealer
antivm
telegram
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

C4A91BAA7EEBC3F856BA50D20F6CCFD5

SHA1:

4E2C61AA9BA4BB96638FA0D81FF22D4A4A446DE3

SHA256:

8AC509A776A326180877DC44636081E21F58C89431477EF2A38DB10AD6BD15D1

SSDEEP:

98304:yl89K7w8sPbnkPpkM/3Q4ge+z9t2+8VQgexrm5Mx0n34e30fEW1WsTp4PbBqU1XA:9C

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • RUSTYSTEALER has been detected (YARA)

      • rust-stealer-xss.exe (PID: 4428)

    • Actions looks like stealing of personal data

      • rust-stealer-xss.exe (PID: 4428)

    • Steals credentials from Web Browsers

      • rust-stealer-xss.exe (PID: 4428)

  • SUSPICIOUS

    • The process hides Powershell's copyright startup banner

      • rust-stealer-xss.exe (PID: 4428)

    • The process hide an interactive prompt from the user

      • rust-stealer-xss.exe (PID: 4428)

    • Checks for external IP

      • svchost.exe (PID: 2196)

    • There is functionality for taking screenshot (YARA)

      • rust-stealer-xss.exe (PID: 4428)

    • The process bypasses the loading of PowerShell profile settings

      • rust-stealer-xss.exe (PID: 4428)

    • Starts POWERSHELL.EXE for commands execution

      • rust-stealer-xss.exe (PID: 4428)

    • There is functionality for VM detection VirtualBox (YARA)

      • rust-stealer-xss.exe (PID: 4428)

    • There is functionality for VM detection VMWare (YARA)

      • rust-stealer-xss.exe (PID: 4428)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • rust-stealer-xss.exe (PID: 4428)

  • INFO

    • Reads the computer name

      • rust-stealer-xss.exe (PID: 4428)

    • Checks proxy server information

      • rust-stealer-xss.exe (PID: 4428)

    • Create files in a temporary directory

      • rust-stealer-xss.exe (PID: 4428)

    • Checks supported languages

      • rust-stealer-xss.exe (PID: 4428)

    • Application based on Rust

      • rust-stealer-xss.exe (PID: 4428)

    • Creates files or folders in the user directory

      • rust-stealer-xss.exe (PID: 4428)

    • Attempting to use instant messaging service

      • svchost.exe (PID: 2196)

    • Reads the software policy settings

      • rust-stealer-xss.exe (PID: 4428)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (46.3)
.exe | Win64 Executable (generic) (41)
.exe | Win32 Executable (generic) (6.6)
.exe | Generic Win/DOS Executable (2.9)
.exe | DOS Executable Generic (2.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:04:24 18:40:54+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.4
CodeSize: 3153920
InitializedDataSize: 1192960
UninitializedDataSize: -
EntryPoint: 0x2f5d51
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
130
Monitored processes
6
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #RUSTYSTEALER rust-stealer-xss.exe svchost.exe powershell.exe no specs conhost.exe no specs sppextcomobj.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
4428"C:\Users\admin\AppData\Local\Temp\rust-stealer-xss.exe" C:\Users\admin\AppData\Local\Temp\rust-stealer-xss.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rust-stealer-xss.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\bcryptprimitives.dll
5548"powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exerust-stealer-xss.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
7176\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7276C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
7308"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exeSppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
4 907
Read events
4 907
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
10
Text files
8
Unknown types
0

Dropped files

PID
Process
Filename
Type
5548powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_sno5uujk.iby.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5548powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:6432C76D07FDFC6A124969CF97CFEF92
SHA256:2480C3E83DC909707E16C00094CC7BB2DA2B7D4FAE4E62FCEF1990C227050186
4428rust-stealer-xss.exeC:\Users\admin\AppData\Local\Temp\Historybinary
MD5:0B2213BCE3950F1E95FEEB8E8B3B9543
SHA256:71DB3D87713A320BA9FD3043392509B430630CFCF574EE84118406D6471CFC5A
4428rust-stealer-xss.exeC:\Users\admin\AppData\Local\Temp\CreditCardDatabinary
MD5:95FFD778940E6DF4846B0B12C8DD5821
SHA256:21A2DEBD389DB456465DFEFFDB15F0AF3FBC46F007CBA67513A13EB10D14E94F
4428rust-stealer-xss.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cookies.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
4428rust-stealer-xss.exeC:\Users\admin\AppData\Local\Temp\g8k2pvzuN5T2yQghO1ScOph43lyWA7\user_info.txttext
MD5:DA076E23881031F8927B7D13272B5EEB
SHA256:57FC5AF6E1A742167A52AD465416B49C50D64AE3104E5218ACAFEF0FE855BA45
4428rust-stealer-xss.exeC:\Users\admin\AppData\Local\Temp\Web Databinary
MD5:95FFD778940E6DF4846B0B12C8DD5821
SHA256:21A2DEBD389DB456465DFEFFDB15F0AF3FBC46F007CBA67513A13EB10D14E94F
4428rust-stealer-xss.exeC:\Users\admin\AppData\Local\Temp\g8k2pvzuN5T2yQghO1ScOph43lyWA7\Cookies\Edge_Default_Network.txttext
MD5:124208B1E20B032232A1D2CFD9FB7FB2
SHA256:11ED4035932D29152B219B2DB1D3F51DBEE23DC21599DBD406B36626B98C5AF6
4428rust-stealer-xss.exeC:\Users\admin\AppData\Local\Temp\g8k2pvzuN5T2yQghO1ScOph43lyWA7\Passwords\Firefox_qnq0haq7.default.txttext
MD5:4C211B9F71FB2F0076AE2C47637E2CB6
SHA256:0467F00B4C01E39D41BCB60010B7078595C48DDC5F0AF52D90D7BA1DB8A8C178
4428rust-stealer-xss.exeC:\Users\admin\AppData\Local\Temp\Login Databinary
MD5:29A644B1F0D96166A05602FE27B3F4AD
SHA256:BF96902FEB97E990A471492F78EE8386BCF430D66BDAEFDEAFBF912C8CF7CE46
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
21
DNS requests
15
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.55.236.70:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
23.215.121.133:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.215.121.133:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4428
rust-stealer-xss.exe
GET
200
195.201.57.90:80
http://195.201.57.90:80/?output=json
unknown
unknown
7856
SIHClient.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6544
svchost.exe
GET
200
23.63.118.230:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7856
SIHClient.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
23.55.236.70:80
crl.microsoft.com
AKAMAI-AS
US
whitelisted
23.215.121.133:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5496
MoUsoCoreWorker.exe
23.215.121.133:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
4428
rust-stealer-xss.exe
195.201.57.90:80
ipwho.is
Hetzner Online GmbH
DE
malicious
6544
svchost.exe
40.126.31.128:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
23.63.118.230:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
4428
rust-stealer-xss.exe
149.154.167.220:443
api.telegram.org
Telegram Messenger Inc
GB
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 23.55.236.70
  • 23.55.236.72
whitelisted
google.com
  • 142.250.184.206
whitelisted
www.microsoft.com
  • 23.215.121.133
  • 2.16.253.202
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
ipwho.is
  • 195.201.57.90
malicious
login.live.com
  • 40.126.31.128
  • 20.190.159.68
  • 20.190.159.75
  • 40.126.31.73
  • 40.126.31.0
  • 40.126.31.129
  • 20.190.159.64
  • 40.126.31.131
whitelisted
ocsp.digicert.com
  • 23.63.118.230
whitelisted
api.telegram.org
  • 149.154.167.220
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Potentially Bad Traffic
ET INFO External IP Lookup Domain in DNS Lookup (ipwho .is)
2196
svchost.exe
Misc activity
ET HUNTING Telegram API Domain in DNS Lookup
4428
rust-stealer-xss.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
4428
rust-stealer-xss.exe
Misc activity
ET HUNTING Telegram API Certificate Observed
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
rust-stealer-xss.exe